fix(PictureMaker.default): Fix a xss vuln (unsafe jinja2 template rendering). Thanks to @.yucheng2663. ; chore(interface): update format of context.

.gitignore

@@ -10,8 +10,3 @@ config/traceback.json
 test
 testfiles
 test.py
-## for sljh
-utils/sljh
-PictureMaker/sljh.py
-interface/sljh.py
-frontend/sljh

PictureMaker/default.py

@@ -4,7 +4,8 @@ import time
 from typing import List
 
 from playwright.sync_api import sync_playwright
-from jinja2 import Environment, FileSystemLoader
+from jinja2 import Environment, FileSystemLoader, StrictUndefined
+from jinja2.sandbox import SandboxedEnvironment
 
 from config.config import TMP, TZINFO
 from utils.err import easyExceptionHandler
@@ -31,7 +32,12 @@ def render(post_context:dict) -> tuple[list[str], int]:
             page = context.new_page()
 
             # render template
-            env = Environment(loader=FileSystemLoader(TEMPLATE_DIR))
+            env = SandboxedEnvironment( # sandbox -> 降低SSTI的影響範圍
+                loader=FileSystemLoader(TEMPLATE_DIR), 
+                autoescape=True # auto escape -> prevent xss
+            )
+            env.undefined = StrictUndefined
+
             template = env.get_template('index.jinja2')
             main = {
                 "id": post_context["id"],
@@ -105,7 +111,7 @@ def gen(context:dict) -> List[str]:
     # generate image
     files, err = render(context)
     if err:
-        return None
+        return []
     
     return files
 

TODO

@@ -1,3 +1,7 @@
+[ ] Vuln: XSS in PictureMaker.default : jinja2沒開模板轉義
+[ ] Hash只用timestamp當作seed可能不夠(會撞)
+[ ] backend.utils.fileProcessor那邊，考慮改善寫法跟加強安全(尤其是考慮關閉管道)
+
 [ ] 處理因為ig媒體畫面比例固定，但是使用者圖片畫面比例不固定導致的問題
     看要不要幫使用者的媒體填充畫面到正確的比例
 [ ] api: ID查IGID，IGID反查ID

backend/utils/fileProcessor.py

@@ -28,14 +28,14 @@ def image_conventer(filename:str, binary: bytes) -> int:
         return 1
 
 ## video (and gif)
-def read_output(pipe, q):
-    """ 用於非阻塞讀取 ffmpeg 的 stdout """
-    while True:
-        data = pipe.read(4096)
-        if not data:
-            break
-        q.put(data)
-    q.put(None)  # 標記輸出結束
+#def read_output(pipe, q):
+#    """ 用於非阻塞讀取 ffmpeg 的 stdout """
+#    while True:
+#        data = pipe.read(4096)
+#        if not data:
+#            break
+#        q.put(data)
+#    q.put(None)  # 標記輸出結束
 
 
 def video_conventor(filename:str, oriFormat:str, binary:bytes) -> int:

interface/example.py

@@ -64,7 +64,7 @@ def get(index:int, media:bool=True) -> dict | None:
 an_example_of_context = {
     "id": int,
     "metadata": {
-        "create_time": int | datetime.datetime,
+        "create_time": datetime.datetime,
         "author": str,
         "tags": list[str],
         "category": str,